Ext4magic-Histogram

Ext4magic: Inode - Directory - Journal - Install - Time_Options - Histogram - Scenarios - Tips&Tricks - Manpage - Expert-Mode

Contents 1 ext4magic histogram function 1.1 Generation process 1.2 Calculation 1.3 Defaults 1.4 Histogram of a directory tree 2 Using the histogram 2.1 Command line examples 2.2 Example output

ext4magic histogram function

The histogram is an utility function of ext4magic. It helps to find out the optimal values for the time options. Timestamps are required for many options of ext4magic. The default values may be inappropriate in a lot of recovery situations (24 hours when dealing with inodes, 5 minutes back from the last deletion in the filesystem in the magic function).

The histogram helps to identify changes in the file system. Usually the time parameters have to be tweaked a while and the histogram will be generated and investigated multiple times until the exact time values for begin and end of events are found. In order to interpret the output results efficiently the following sections should be read carefully.

Generation process

• The time interval defined by the time paramaters is split into 10 time ranges. (or 20 ranges with an additional option "-x")

• All timestamps of the file systems inode are counted which fall in a given time range.

• ext4magic uses the results to create a scale and prints the inodes counted in a time range as a simple bar chart.

ctime, dtime and optionally crtime is calculated in an additional histogram.

Calculation

• Only the last timestamp of inode change is used.

• If inode changes happen in the time range and the last change was "delete", the inode will be counted in the dtime histogram

• If inode changes happen in the time range and the last change was not "delete", the inode will be counted in the ctime histogram

• If inode size is 256 and filesystem is ext4 and a file was created and not deleted at then end of the time range, the inode will be counted in the optional crtime histogram

• The calculation of crtime is independent of ctime and dtime calculation.

Defaults

• Default inodes : The histogram includes all inodes of the file system

• Default time : last 24 hours

Histogram of a directory tree

• If a directory name or a directory inode number is passed as a parameter, only the inode of this directory tree will used.

This is not very accurate. ext4magic loops through the directory structure in the time frame specified in the time options. If a directory tree was deleted as a whole, at runtime ext4magic recreates the tree from the journal. Only the journal information available in the time range specified with AFTER and BEFORE is used. This can limit the found number of inodes in the deleted directory tree because directory activities which happened outside this time range in the journal are not included in the histogram. Therefore a decent change of the time limits can increase the number of inodes which counted in the histogram.

If the time interval is changed the output usually changes significantly because the resolution of the histogram will change and the histogram will span a much smaller time range.

Using the histogram

Command line examples

The default, examine last 24 hours, all inodes

ext4magic DEVICE -H

Examine only a specific directory tree (user-1/Documents), last 24 hours, high resolution

ext4magic DEVICE -H -x -f user-1/Documents

Examine the last 5 days, use of a "date" command,

ext4magic DEVICE -H -a $(date -d "-5 day" +%s) 

This complex time translation with "date" is only required for the first command call. For subsequent calls values for -a and -b ​​can taken from the histogram. (first column)

Subsequent call with time-specific parameters from a previous histogram calls

ext4magic DEVICE -H -a 1272329366 -b 1272329564 

Example output

ROBI@LINUX:/tmp/test1 # ext4magic testfile.iso  -H -a 1272299456 -b 1272375077
Filesystem in use: testfile.iso

|-----------c_time  Histogram-----------------  after  --------------------  Mon Apr 26 18:30:56 2010
1272307018 :        0 |                                                  |   Mon Apr 26 20:36:58 2010
1272314580 :        0 |                                                  |   Mon Apr 26 22:43:00 2010
1272322142 :        0 |                                                  |   Tue Apr 27 00:49:02 2010
1272329704 :       11 |**************************************************|   Tue Apr 27 02:55:04 2010
1272337266 :        0 |                                                  |   Tue Apr 27 05:01:06 2010
1272344828 :        0 |                                                  |   Tue Apr 27 07:07:08 2010
1272352390 :        0 |                                                  |   Tue Apr 27 09:13:10 2010
1272359952 :        0 |                                                  |   Tue Apr 27 11:19:12 2010
1272367514 :        0 |                                                  |   Tue Apr 27 13:25:14 2010
1272375076 :        0 |                                                  |   Tue Apr 27 15:31:16 2010


|-----------d_time  Histogram-----------------  after  --------------------  Mon Apr 26 18:30:56 2010
1272307018 :        0 |                                                  |   Mon Apr 26 20:36:58 2010
1272314580 :        0 |                                                  |   Mon Apr 26 22:43:00 2010
1272322142 :        0 |                                                  |   Tue Apr 27 00:49:02 2010
1272329704 :      103 |**************************************************|   Tue Apr 27 02:55:04 2010
1272337266 :        0 |                                                  |   Tue Apr 27 05:01:06 2010
1272344828 :        0 |                                                  |   Tue Apr 27 07:07:08 2010
1272352390 :        0 |                                                  |   Tue Apr 27 09:13:10 2010
1272359952 :        0 |                                                  |   Tue Apr 27 11:19:12 2010
1272367514 :        0 |                                                  |   Tue Apr 27 13:25:14 2010
1272375076 :        0 |                                                  |   Tue Apr 27 15:31:16 2010


|-----------cr_time Histogram-----------------  after  --------------------  Mon Apr 26 18:30:56 2010
1272307018 :        0 |                                                  |   Mon Apr 26 20:36:58 2010
1272314580 :        0 |                                                  |   Mon Apr 26 22:43:00 2010
1272322142 :        0 |                                                  |   Tue Apr 27 00:49:02 2010
1272329704 :       10 |**************************************************|   Tue Apr 27 02:55:04 2010
1272337266 :        0 |                                                  |   Tue Apr 27 05:01:06 2010
1272344828 :        0 |                                                  |   Tue Apr 27 07:07:08 2010
1272352390 :        0 |                                                  |   Tue Apr 27 09:13:10 2010
1272359952 :        0 |                                                  |   Tue Apr 27 11:19:12 2010
1272367514 :        0 |                                                  |   Tue Apr 27 13:25:14 2010
1272375076 :        0 |                                                  |   Tue Apr 27 15:31:16 2010

In this example, in the time 00:49:02 - 02:55:04 are deleted 103 files.
The next call with -a 1272322142 -b 1272337266 and so on ....
Result with an interval range of 30 seconds

ROBI@LINUX:/tmp/test1 # ext4magic testfile.iso -H -a 1272329366 -b 1272329672
Filesystem in use: testfile.iso

|-----------c_time  Histogram-----------------  after  --------------------  Tue Apr 27 02:49:26 2010
1272329396 :        0 |                                                  |   Tue Apr 27 02:49:56 2010
1272329426 :        5 |*************************                         |   Tue Apr 27 02:50:26 2010
1272329456 :        0 |                                                  |   Tue Apr 27 02:50:56 2010
1272329486 :        5 |*************************                         |   Tue Apr 27 02:51:26 2010
1272329516 :        0 |                                                  |   Tue Apr 27 02:51:56 2010
1272329546 :        0 |                                                  |   Tue Apr 27 02:52:26 2010
1272329576 :        0 |                                                  |   Tue Apr 27 02:52:56 2010
1272329606 :        1 |*****                                             |   Tue Apr 27 02:53:26 2010
1272329636 :        0 |                                                  |   Tue Apr 27 02:53:56 2010
1272329666 :        0 |                                                  |   Tue Apr 27 02:54:26 2010


|-----------d_time  Histogram-----------------  after  --------------------  Tue Apr 27 02:49:26 2010
1272329396 :        0 |                                                  |   Tue Apr 27 02:49:56 2010
1272329426 :        0 |                                                  |   Tue Apr 27 02:50:26 2010
1272329456 :        0 |                                                  |   Tue Apr 27 02:50:56 2010
1272329486 :        0 |                                                  |   Tue Apr 27 02:51:26 2010
1272329516 :        0 |                                                  |   Tue Apr 27 02:51:56 2010
1272329546 :        7 |****                                              |   Tue Apr 27 02:52:26 2010
1272329576 :        3 |**                                                |   Tue Apr 27 02:52:56 2010
1272329606 :       93 |**************************************************|   Tue Apr 27 02:53:26 2010
1272329636 :        0 |                                                  |   Tue Apr 27 02:53:56 2010
1272329666 :        0 |                                                  |   Tue Apr 27 02:54:26 2010


|-----------cr_time Histogram-----------------  after  --------------------  Tue Apr 27 02:49:26 2010
1272329396 :        0 |                                                  |   Tue Apr 27 02:49:56 2010
1272329426 :       25 |*****************                                 |   Tue Apr 27 02:50:26 2010
1272329456 :        0 |                                                  |   Tue Apr 27 02:50:56 2010
1272329486 :       75 |**************************************************|   Tue Apr 27 02:51:26 2010
1272329516 :        7 |*****                                             |   Tue Apr 27 02:51:56 2010
1272329546 :        3 |**                                                |   Tue Apr 27 02:52:26 2010
1272329576 :        3 |**                                                |   Tue Apr 27 02:52:56 2010
1272329606 :        0 |                                                  |   Tue Apr 27 02:53:26 2010
1272329636 :        0 |                                                  |   Tue Apr 27 02:53:56 2010
1272329666 :        0 |                                                  |   Tue Apr 27 02:54:26 2010

This gives an idea what happened here. Files were created and deleted after a few minutes. Most of the same files that were created also were deleted, otherwise there should be more files in the upper crtime histogram. Only 10 files or directories that were created here, are not deleted.

Ext4magic: Inode - Directory - Journal - Install - Time_Options - Histogram - Scenarios - Tips&Tricks - Manpage - Expert-Mode